Six new security features for Windows Server 2022

Shielded

Fine Tuning with Group Policies

As an alternative to WAC, you can control the functions of the Secured-core server through group policies. The options are found in the Group Policy Management Editor under Computer Configuration | Policies | Administrative Templates | System | Device Guard . Use the Turn on Virtualization Based Security setting when you get there.

If you enable this setting, four drop-down boxes in the options area control the details (Figure 2). The first option for the platform security level enables Secure Boot with or without DMA protection. Not Configured means that the group policy will not change the HVCI status already in place on a target machine. Enabled without lock is equivalent to the state that you can enable in WAC. HVCI is enabled in this case and can also be disabled again with a group policy. The Enabled with UEFI lock option links the HVCI status to the target's local UEFI, if compatible. In this case, the function can no longer be disabled remotely, whether by WAC or by group policy.

Figure 2: Group policies centrally control the functions of the Secured-core server.

The memory attributes table checkbox ensures that VBS and HVCI are only used on systems with a compatible UEFI. Microsoft otherwise warns about crashes, data loss, or incompatibility when you install physical expansion cards. Credential Guard is not one of the six core functions of the Secured-core server, but it uses VBS as a basis for protecting credentials. The options are identical to those of HVCI. Credential Guard can also be connected to a local UEFI. Finally, the Secure Boot configuration option controls whether or not system monitoring should be enabled.

In Computer Configuration | Policies | Administrative Templates | System | Kernel DMA Protection you find Enumeration policy for external devices incompatible with Kernel DMA Protection . This setting decides whether the target system generally blocks or allows devices whose drivers do not support DMA remapping. By default, the third option specifies that these devices only work as long as a user is logged in and the screen is not locked.

Conclusions

Secured-core server uses all the security features of modern hardware and virtualization infrastructures. Provided UEFI and device drivers are suitable, the setup involves just a few steps. Secured-core server reduces the attack surface of Windows Server 2022 at no additional cost and with the least possible overhead.

Infos

OEM process for Secure Boot: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
Using TPM on Windows: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm#tpm-in-windows
Root of trust for protecting Windows: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows
Kernel DMA protection for Thunderbolt: https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
Virtualization-based security for Windows: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-CE292D3F-D4AC-4607-B262-DE19CE6E9F6B.html
Configuring a key provider: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-3D39CBA6-E5B2-43E2-A596-B9A69B094558.html
Trusted launch: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
WAC download: https://www.microsoft.com/en-us/windows-server/windows-admin-center
Configuring single sign-on: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control#configure-single-sign-on

The Author

Christian Knermann is Head of IT-Management at Fraunhofer UMSICHT, a German research institute. He's written freelance about computing technology since 2006.

« Previous 1 2 3 4 5